TSLSA-2007-0009 - multi



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2007-0009

Package names: gnupg, php4
Summary: Multiple vulnerabilities
Date: 2007-03-09
Affected versions: Trustix Secure Linux 2.2
Trustix Secure Linux 3.0
Trustix Secure Linux 3.0.5
Trustix Operating System - Enterprise Server 2

- --------------------------------------------------------------------------
Package description:
gnupg
GnuPG is a complete and free replacement for PGP. Because it does not
use IDEA it can be used without any restrictions. GnuPG is in compliance
with the OpenPGP specification (RFC2440).

php4
PHP is an HTML-embedded scripting language. PHP attempts to make
it easy for developers to write dynamically generated web pages.
PHP also offers built-in database integration for several commercial
and non-commercial database management systems, so writing a
database-enabled web page with PHP is fairly simple. The most
common use of PHP coding is probably as a replacement for CGI
scripts. The mod_php module enables the Apache web server to
understand and process the embedded PHP language in web pages.

Problem description:
gnupg < TSL 3.0.5 > < TSL 3.0 >
- New Upstream.
- SECURITY Fix: GnuPG 1.4.6 and earlier, when run from the command
line, does not visually distinguish signed and unsigned portions
of OpenPGP messages with multiple components, which might allow
remote attackers to forge the contents of a message without
detection.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2007-1263 to this issue.

php4 < TSL 2.2 > < TSEL 2 >
- New Upstream.
- Fixes crash problem with the session extension when register_globals
is turned on.
- SECURITY Fix: Several vulnerabilities have been reported in PHP,
which can be exploited by malicious people to disclose potentially
sensitive information, cause a DoS and potentially compromise a
vulnerable system. (SA24089)

Action:
We recommend that all systems with this package installed be upgraded.
Please note that if you do not need the functionality provided by this
package, you may want to remove it from your system.


Location:
All Trustix Secure Linux updates are available from
<URI:http://http.trustix.org/pub/trustix/updates/>
<URI:ftp://ftp.trustix.org/pub/trustix/updates/>


About Trustix Secure Linux:
Trustix Secure Linux is a small Linux distribution for servers. With focus
on security and stability, the system is painlessly kept safe and up to
date from day one using swup, the automated software updater.


Automatic updates:
Users of the SWUP tool can enjoy having updates automatically
installed using 'swup --upgrade'.


Questions?
Check out our mailing lists:
<URI:http://www.trustix.org/support/>


Verification:
This advisory along with all Trustix packages are signed with the
TSL sign key.
This key is available from:
<URI:http://www.trustix.org/TSL-SIGN-KEY>

The advisory itself is available from the errata pages at
<URI:http://www.trustix.org/errata/trustix-2.2/>
<URI:http://www.trustix.org/errata/trustix-3.0/> and
<URI:http://www.trustix.org/errata/trustix-3.0.5/>
or directly at
<URI:http://www.trustix.org/errata/2007/0009/>


MD5sums of the packages:
- --------------------------------------------------------------------------
bafa34d79da94e06cbced9fb6be856bc 3.0.5/rpms/gnupg-1.4.7-1tr.i586.rpm
a4eec3de278ba9cf3d281079bc25ca48 3.0.5/rpms/gnupg-utils-1.4.7-1tr.i586.rpm

bf409ef7bd3f2ccb039063968d3f39d2 3.0/rpms/gnupg-1.4.7-1tr.i586.rpm
2a66ba2cc799d8acb648072e49d46227 3.0/rpms/gnupg-utils-1.4.7-1tr.i586.rpm

639bde6894ecc53c8cf198a57d86abfa 2.2/rpms/php4-4.4.6-1tr.i586.rpm
87de267da760309c46a7ef2b682fff2b 2.2/rpms/php4-cli-4.4.6-1tr.i586.rpm
180ba74efc954cb4d63d8e613eb9cda8 2.2/rpms/php4-curl-4.4.6-1tr.i586.rpm
3a100aacfd5fdc5a8c79246abfe436cf 2.2/rpms/php4-devel-4.4.6-1tr.i586.rpm
3c9c2b6d34e91997ca9e3c9e1e2bd69d 2.2/rpms/php4-domxml-4.4.6-1tr.i586.rpm
4f6e0cc934aad6fd0d367e6e3f1f083b 2.2/rpms/php4-exif-4.4.6-1tr.i586.rpm
4bb5a6780ce263b7f963c74c0a7c68a4 2.2/rpms/php4-fcgi-4.4.6-1tr.i586.rpm
7b5c1a560fb13ede6508864f929ed2fd 2.2/rpms/php4-gd-4.4.6-1tr.i586.rpm
743a1f4180b61820e202e1a7adc2fbbb 2.2/rpms/php4-imap-4.4.6-1tr.i586.rpm
9dd9d2ab1537a0218467df98d7cc32e7 2.2/rpms/php4-ldap-4.4.6-1tr.i586.rpm
79bfff33013dc930ece67d8411ac5b56 2.2/rpms/php4-mhash-4.4.6-1tr.i586.rpm
adaa356574ff08c2e54db4084950a10d 2.2/rpms/php4-mysql-4.4.6-1tr.i586.rpm
59ba6c4c1d985f17a5a6b49532ff1157 2.2/rpms/php4-pgsql-4.4.6-1tr.i586.rpm
22b3e87e3b97c4b7bf4b7dd5c04c98bf 2.2/rpms/php4-test-4.4.6-1tr.i586.rpm
- --------------------------------------------------------------------------


Trustix Security Team


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFF8XgFi8CEzsK9IksRAs17AJ4rmCUrBzXNbJSUxOgb6+pR2z6CAQCgrQhG
ZYIlB63QwyMVVKxvFA3LfCA=
=0Sj4
-----END PGP SIGNATURE-----



Relevant Pages

  • TSLSA-2006-0055 - multi
    ... Trustix Secure Linux Security Advisory #2006-0055 ... Affected versions: Trustix Secure Linux 2.2 ... This package contains the slapd ... PHP is an HTML-embedded scripting language. ...
    (Bugtraq)
  • TSLSA-2005-0059 - multi
    ... Affected versions: Trustix Secure Linux 2.2 ... PHP is an HTML-embedded scripting language. ... use of Rest with FTP servers and Range with HTTP servers to retrieve files ... - New Upstream and Multiple Vendor Security Fixes ...
    (Bugtraq)
  • TSLSA-2006-0061 - multi
    ... Trustix Secure Linux Security Advisory #2006-0061 ... Affected versions: Trustix Secure Linux 2.2 ... PHP is an HTML-embedded scripting language. ... We recommend that all systems with this package installed be upgraded. ...
    (Bugtraq)
  • TSLSA-2006-0057 - multi
    ... Affected versions: Trustix Secure Linux 2.2 ... The package provides a flexible and scalable multi-threaded ... SECURITY Fix: Two vulnerabilities have been reported in Clam ...
    (Bugtraq)
  • TSLSA-2007-0026 - multi
    ... Trustix Secure Linux Security Advisory #2007-0026 ... Affected versions: Trustix Secure Linux 2.2 ... Some vulnerabilities have been reported in ClamAV, ... due to an input validation error when extracting tar archives. ...
    (Bugtraq)